Modern commodity computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling popular third-party functionality that is often manifested in applications, or apps. Thus, for the last decade, designing systems to analyze mobile apps for vulnerabilities or unwanted behavior has been a major research focus within the security community. Leveraging the lessons and techniques learned from mobile app analysis, researchers have developed similar systems to evaluate the security, safety, and privacy of smart homes by inspecting IoT apps developed for platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate the need to move away from the approach of IoT app analysis, as IoT apps may not be representative of the home automation in real homes, and moreover, be unavailable for analysis or instrumentation in the near future.
In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate alternate research directions. First, I will motivate the need to develop an alternative to IoT apps that is representative of automation in the wild, in order to enable a practical artifact for building and evaluating security systems for smart homes. To this end, I will describe Helion, a system that leverages the “user-driven” nature of home automation to generate natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes, which are then used for several critical tasks in building and evaluating security systems. Second, I will motivate the need to improve the state of security analysis of mobile companion apps, which often form the weakest link in IoT ecosystems, by systematically and rigorously evaluating the security analyses targeted at them. To this end, I will describe how mutation testing can be leveraged for empirically evaluating static program analysis-based security systems. Our research in this direction has led to two mutation frameworks, and the discovery of critical flaws in leading tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Finally, I will conclude the talk by describing the lessons learned from our work, as well as by highlighting challenges and opportunities for future research in home automation security.
Adwait Nadkarni is an Assistant Professor in the Department of Computer Science, and director of the Secure Platforms Lab (SPL) at William & Mary. Prof. Nadkarni’s primary research domain is security and privacy, with a focus on emerging platforms, and the areas of operating systems and software security. His research is generously supported by the National Science Foundation (NSF) and the Commonwealth of Virginia’s Cyber Initiative (CCI). Prior to joining William & Mary, Prof. Nadkarni earned his Bachelor of Engineering (BE) in Computer Engineering from the University of Mumbai in July 2011, followed by his Ph.D. and M.S. in Computer Science from the Computer Science Department at the North Carolina State University in May 2017 and December 2012 respectively, both with Dr. William Enck. At NC State, Prof. Nadkarni was a founding member of the Wolfpack Security and Privacy Research (WSPR) Lab, and served as its Lead Graduate Student until May 2017.